
Introduction

This white paper describes an approach to creating a secure cloud environment that helps project teams deploy their projects in the cloud easily without compromising security. The document also walks through the risks and factors involved in the cloud model and how to treat them. The document is cloud-provider agnostic; for the examples and demonstrations we have used the Microsoft Azure platform throughout.

Cloud Computing Basics

The Characteristics of a Cloud Service

On-demand self-service: Resources are provisioned with a few clicks and no human intervention; for example, a consumer obtains storage space with a few simple clicks.

Broad network access: The capabilities of the cloud are available over the network; by accessing the Internet, a consumer can provision those on-demand services.

Resource pooling: Resources are pooled and shared among different tenants.

Rapid elasticity: The cloud expands and contracts based on the consumer's requirements.

Measured service: Usage can be measured and charged according to how many resources the consumer uses, e.g. computing power, storage, bandwidth, etc.

Understanding IaaS, PaaS, SaaS

Cloud Deployment Model

Private cloud: The organization chooses to have its own cloud, in which the resource pooling is done by the organization itself (a single-organization cloud) and nothing is shared with other organizations. It may or may not be on premises.

Public cloud: Different tenants share the same infrastructure through resource pooling.

Pros: It is easily consumable, and the consumer can provision resources themselves.

Cons: The consumer does not get the same level of isolation as in a private cloud.

Community cloud: The cloud is shared by different organizations, usually unified by a common community, that share the underlying infrastructure (halfway between private and public); small organizations pool resources among themselves.

Hybrid: A mixture of private and public, i.e. an organization might want the elasticity and cost-effectiveness of the public cloud while placing certain applications in a private cloud.

NIST Cloud Computing Reference Architecture

The Promise of the Cloud

Organizational Cloud Security Considerations

Application Security Risks Remain the Same

No matter how much we harden the cloud, if the hosted application is buggy, the organization is vulnerable to all sorts of attacks.

Data Sovereignty

Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located.

The screenshot shows how the services vary based on the continents.

The screenshot shows the restrictions based on the countries.

As a consumer's business expands around the globe, the consumer should always consider which services should be offered in which regions and where the data has to be stored, as the cloud services available vary with the jurisdictional laws of each country.

There have been cases when the country’s government has unlawfully leaked confidential data from the cloud.

Here is the request form to the cloud provider (Azure) that must be submitted before starting the pentest.

Don't forget to read the cloud provider's terms and conditions (Azure's in this case) before starting the pentest.

Cloud Computing Commercial Considerations (IMPACT – HIGH)

Cloud provider acquisition: When a cloud provider is acquired by another organization, many changes come into the picture, such as a changed infrastructure, changes to the pricing structure, etc. These changes affect the services the cloud provider offers; they may degrade or enhance them. The consumer should always consider the cloud provider lock-in period for the service they are getting.

Shadow IT (IMPACT – HIGH)

Shadow IT refers to information technology systems and solutions built and used inside organizations without explicit organizational approval.

Why is the impact high?

Organizations that have implemented cloud in their environment always suffer from shadow IT. Such unsanctioned systems and solutions may be infected with malware or viruses, or may carry a zero-day through which an adversary can gain an advantage and cause data leaks, system shutdown, DDoS, etc. The following are examples of how shadow IT arises:

Connecting physical devices, like USB sticks and external hard drives, directly to the corporate network and using them to transfer sensitive information in a BYOD environment.

Attacking the bandwidth: An attacker sets up their own cloud and downloads bulk data from the victim's cloud. For the victim this is egress data, which is billed; for the attacker it is ingress data, which costs nothing. The overhead on the victim's cloud infrastructure, and proportionally its cost, therefore goes up.

Hardening

Disable autoscaling, which is enabled by default.
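The bandwidth attack and the autoscaling note above both come down to the same defensive control: noticing when a resource's consumption, and therefore its bill, departs from its normal pattern. The following is an added example, not code from the paper, that runs a simple egress-volume anomaly check over constructed daily metering records. The record layout (day, account, gigabytes), the account names, and the "three times the account's median" threshold are assumptions made for the illustration; a real deployment would feed this from the provider's billing or metrics export.

```python
"""Flag abnormal egress volumes in per-account daily metering records.

Added example; not part of the original white paper. SAMPLE_EGRESS is a
constructed data set shaped like a daily egress export: (day, account,
egress in gigabytes). Account names and the threshold factor are assumptions.
"""
from statistics import median

# Constructed sample: four quiet days, then one day of bulk egress from one account.
SAMPLE_EGRESS = [
    ("2023-05-01", "custrecordseu", 12.0),
    ("2023-05-02", "custrecordseu", 11.5),
    ("2023-05-03", "custrecordseu", 13.2),
    ("2023-05-04", "custrecordseu", 12.4),
    ("2023-05-05", "custrecordseu", 210.0),   # bulk pull: egress billed to the victim
    ("2023-05-01", "buildcache01", 40.0),
    ("2023-05-02", "buildcache01", 38.0),
    ("2023-05-03", "buildcache01", 41.0),
    ("2023-05-04", "buildcache01", 39.5),
    ("2023-05-05", "buildcache01", 42.0),
]


def egress_anomalies(records, factor=3.0, min_history=3):
    """Return (day, account, gb, baseline) for each day on which an account's
    egress exceeds `factor` times the median of that account's earlier days.

    The median is used as the baseline so that one earlier spike does not
    drag the baseline up and hide the next one. Accounts with fewer than
    `min_history` earlier days are not judged yet.
    """
    history = {}   # account -> list of earlier daily totals
    alerts = []
    for day, account, gb in sorted(records):      # chronological per account
        past = history.setdefault(account, [])
        if len(past) >= min_history:
            baseline = median(past)
            if gb > factor * baseline:
                alerts.append((day, account, gb, baseline))
        past.append(gb)
    return alerts


if __name__ == "__main__":
    for day, account, gb, baseline in egress_anomalies(SAMPLE_EGRESS):
        print(f"{day} {account}: {gb} GB egress vs. baseline {baseline} GB")
```

The same loop works unchanged for any metered quantity that an attacker can drive up at the victim's expense (instance count under autoscaling, request counts, storage transactions); only the input column changes.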

Implementing Hardware Security Module (HSM)

A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptographic processing.

Below is Azure's Key Vault management system.


Here is how the whole process works
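To make the HSM property concrete, here is an added example, not the paper's code and not the Azure Key Vault API, that models the boundary an HSM or key vault provides: key material is generated and used inside the boundary, and callers only ever receive a key name, a version number and the results of cryptographic operations. HMAC-SHA256 from the standard library stands in for the module's signing operation so the example runs offline; the class, method names and key names are assumptions for the illustration.

```python
"""Model of the key-vault / HSM boundary: keys never leave the module.

Added example; not part of the original white paper and not the Azure
Key Vault SDK. HMAC-SHA256 stands in for the HSM's signing primitive.
Class and method names are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets


class KeyVaultBoundary:
    """Holds key material and exposes only create/rotate/sign/verify by key name."""

    def __init__(self):
        self._keys = {}   # key name -> list of key versions (bytes), oldest first

    def create_key(self, name):
        """Generate a key inside the boundary and return its version number."""
        if name in self._keys:
            raise ValueError(f"key {name!r} already exists")
        self._keys[name] = [secrets.token_bytes(32)]
        return self.current_version(name)

    def rotate_key(self, name):
        """Add a new version; old versions are kept so old signatures still verify."""
        self._keys[name].append(secrets.token_bytes(32))
        return self.current_version(name)

    def current_version(self, name):
        return len(self._keys[name])     # versions are numbered 1..n

    def sign(self, name, message):
        """Sign with the current version; return (version, hex tag)."""
        version = self.current_version(name)
        key = self._keys[name][version - 1]
        return version, hmac.new(key, message, hashlib.sha256).hexdigest()

    def verify(self, name, message, version, tag):
        """Constant-time check of `tag` against the named key version."""
        if version < 1:
            return False
        try:
            key = self._keys[name][version - 1]
        except (KeyError, IndexError):
            return False
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def export_key(self, name):
        """Keys are non-exportable: the boundary refuses to hand out key bytes."""
        raise PermissionError(f"key {name!r} is not exportable")


def demo():
    """Exercise the boundary; returns a dict of observed outcomes."""
    vault = KeyVaultBoundary()
    vault.create_key("app-signing")
    v1, tag1 = vault.sign("app-signing", b"invoice-1001")
    ok_v1 = vault.verify("app-signing", b"invoice-1001", v1, tag1)
    v2 = vault.rotate_key("app-signing")
    _, tag2 = vault.sign("app-signing", b"invoice-1001")
    try:
        vault.export_key("app-signing")
        exported = True
    except PermissionError:
        exported = False
    return {
        "v1": v1,
        "v2": v2,
        "ok_v1": ok_v1,
        # signatures made before rotation still verify against their version
        "old_still_valid": vault.verify("app-signing", b"invoice-1001", v1, tag1),
        # a tag never verifies against a different version or message
        "cross_version": vault.verify("app-signing", b"invoice-1001", v2, tag1),
        "tampered": vault.verify("app-signing", b"invoice-1002", v2, tag2),
        "unknown_key": vault.verify("other", b"invoice-1001", 1, tag1),
        "exported": exported,
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The point of the `export_key` method is that it exists only to fail: an application that needs a signature asks the vault for one and is never in a position to copy the key into a config file, a container image or a log line. Versioning is what makes rotation safe, since the vault can still verify material signed before the rotation.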

Hardening the Configuration

The following are the checks that should be taken into account during a cloud implementation.

Business Continuity and Disaster Recovery

During a catastrophic disaster, how should the data be secured, stored and retrieved? That question always arises. Here we use the Microsoft Azure platform to show the settings for how data replication should be configured.

There are four options:

Zone-redundant storage (ZRS): Microsoft stores the data in a different data center.

Locally redundant storage (LRS): Microsoft keeps three replicas of the data in the same data center.

Geo-redundant storage (GRS): Microsoft stores the data in a different data center in a different geographic location.

Read-access geo-redundant storage (RA-GRS): None of the options above gives read access to the replicated data; if the consumer selects this option, they have read access to the data stored in the secondary geo-location. (Recommended)
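The replication choice above and the data sovereignty question earlier are both properties you can read off a storage account's configuration, so they can be checked continuously rather than once at provisioning time. The following is an added example, not the paper's code and not an Azure tool, that audits an exported list of storage accounts for two things: whether each account's replication SKU meets the RA-GRS recommendation, and whether accounts tagged with a data classification sit in a region that the residency policy permits. The input is a constructed JSON document shaped like the output of `az storage account list` (fields `name`, `location`, `sku.name`, `tags`); the account names, the `data_class` tag, the residency policy and the region lists are assumptions for the illustration.

```python
"""Audit exported storage-account metadata for replication and data residency.

Added example; not part of the original white paper. SAMPLE_ACCOUNTS_JSON is
constructed to resemble `az storage account list -o json` output and is not
real output from any subscription. RESIDENCY_POLICY and the `data_class` tag
are assumptions made for this illustration.
"""
import json

# Constructed sample. One compliant account, one confidential account in the
# wrong region with weak replication, one untagged account with weak replication.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "custrecordseu", "location": "westeurope",
   "sku": {"name": "Standard_RAGRS", "tier": "Standard"},
   "tags": {"data_class": "confidential"}},
  {"name": "custrecordsus", "location": "eastus",
   "sku": {"name": "Standard_LRS", "tier": "Standard"},
   "tags": {"data_class": "confidential"}},
  {"name": "buildcache01", "location": "southeastasia",
   "sku": {"name": "Standard_LRS", "tier": "Standard"},
   "tags": {}}
]
"""

# Assumed residency policy: regions in which each data classification may be
# stored. Untagged or unlisted classifications carry no residency restriction here.
RESIDENCY_POLICY = {
    "confidential": {"westeurope", "northeurope"},
}

# The four replication options from the paper, keyed by the SKU names Azure uses,
# ranked by how far apart the copies are kept.
REDUNDANCY_RANK = {
    "Standard_LRS": 0,    # three copies in one data center
    "Standard_ZRS": 1,    # copies in separate zones (data centers) of one region
    "Standard_GRS": 2,    # copies in a second region, readable only after failover
    "Standard_RAGRS": 3,  # copies in a second region, readable at any time
}


def audit_accounts(accounts, policy=RESIDENCY_POLICY, minimum_sku="Standard_RAGRS"):
    """Return a list of (account name, finding) tuples, one per violation."""
    findings = []
    required_rank = REDUNDANCY_RANK[minimum_sku]
    for acct in accounts:
        name = acct["name"]
        sku = acct["sku"]["name"]
        rank = REDUNDANCY_RANK.get(sku)
        if rank is None:
            findings.append((name, f"unrecognised replication SKU {sku}"))
        elif rank < required_rank:
            findings.append((name, f"replication {sku} is below the required {minimum_sku}"))
        data_class = acct.get("tags", {}).get("data_class")
        allowed = policy.get(data_class)
        if allowed is not None and acct["location"] not in allowed:
            findings.append((name, f"{data_class} data in {acct['location']}; "
                                   f"allowed regions: {sorted(allowed)}"))
    return findings


def audit_json(text, **kwargs):
    """Parse an exported account list and audit it."""
    return audit_accounts(json.loads(text), **kwargs)


if __name__ == "__main__":
    for name, finding in audit_json(SAMPLE_ACCOUNTS_JSON):
        print(f"{name}: {finding}")
```

Running this against the constructed sample reports nothing for `custrecordseu`, two findings for `custrecordsus` (weak replication and confidential data outside the permitted regions) and one for `buildcache01` (weak replication only, since it carries no classification). The rank table encodes the paper's ordering, so lowering `minimum_sku` to `Standard_GRS` accepts GRS accounts without touching the residency check.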

Implementing Security as a Service

There are various cloud security solutions that protect the cloud from attacks such as DDoS and application security vulnerabilities and that provide traffic monitoring, malware detection, etc. Cloudflare is one such solution and has a large customer base.

Many cloud providers also offer security as a service; here is an example of Microsoft Azure's security as a service.

Conclusion

As we have noted throughout this document, cloud computing has the potential to be a disruptive force by affecting the deployment and use of technology. The cloud could be the next evolution in the history of computing, following in the footsteps of mainframes, minicomputers, PCs, servers, smartphones, and so on, and radically changing the way enterprises manage IT. Yes, plenty of questions are still left to be answered regarding security within the cloud and how customers and cloud service providers (CSPs) will manage issues and expectations, but it would be a severe understatement to say simply that cloud computing has generated interest in the marketplace.

The hype regarding cloud computing is unavoidable. It has caught the imagination of consumers, businesses, financial analysts, and of course, the CSPs themselves. Search for “cloud computing” on the Internet, and you will uncover thousands of articles defining it, praising it, ridiculing it, and selling it.
